Research May Hasten Death of Mobile Privacy Standard

Researchers at a computer security conference in Washington, D.C. this week detailed a method for dramatically reducing the cost and time needed to crack the security that prevents eavesdropping of GSM-based mobile phones.

The weaknesses in the GSM encryption technology -- a 64-bit scheme known as A5/1 -- were first detailed nearly a decade ago, but cracking the code has generally required a great deal of patience and some very expensive hardware (with hardware costs alone exceeding $1 million). U.S.-based GSM carriers -- including AT&T and T-Mobile -- as well as most European GSM providers are among the dozens of mobile providers and billions of handsets worldwide using A5/1 as their privacy standard.

Most of the previously detailed methods for cracking A5/1 encrypted GSM communications involved "active attacks," injecting data packets into the carrier's system or circumventing the encryption altogether by tricking a nearby target's phone into connecting to a bogus, unencrypted relay station controlled by the attacker. But researchers David Hulton and Steve Miller say their method relies on a purely passive attack, which can be done remotely and takes advantage of massive advances in parallel computing power to crunch through a listing of all possible GSM encryption keys in a matter of minutes.

The duo's new discovery means the ability to hack into one of these devices could be easier (and more affordable) for government agencies and law enforcement as well as hobbyists and would-be thieves.

Miller and Hulton are currently about halfway through the process of generating a giant set of tables listing nearly all of the possible key combinations, which they plan to publish sometime in March for anyone to use. Armed with those tables, a minimum of two terabytes of hard drive space and a computer equipped with at least one hardware device known as a "field-programmable gate array" or FPGA, an attacker could theoretically decrypt a previously recorded GSM phone call or text message in about one hour, with roughly a 95 percent chance of success, Hulton told attendees at the annual "Shmoocon" security conference on Friday.

Total cost for the entire project: around $1,000 to $1,500. Increase the amount of hard drive space and/or add more FPGAs, and the time to decrypt drops to around 30 minutes, the researchers said.
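The tables described above are a time-memory trade-off: a one-time precomputation walks chains through the key space and stores only their endpoints, so that recovering a session key later costs a few table lookups instead of a full brute-force search, with a success probability set by how much of the key space the chains cover. The following is an added example, not code from the article or from the Hulton/Miller project. It builds a rainbow-style table against a 16-bit stand-in cipher (a truncated SHA-256 of a constructed known frame, not A5/1) and measures coverage; every name and parameter in it (toy_keystream, reduce_to_key, CHAIN_LEN, CHAIN_COUNT, KNOWN_FRAME) is a constructed assumption. The point for defenders is the one the article makes implicitly: a 64-bit key with predictable plaintext is within reach of a one-time precomputation, and the mitigation is a stronger algorithm (such as the A5/3 the GSMA mentions), not hoping the precomputation stays expensive.

```python
"""Toy time-memory trade-off (rainbow table) against a 16-bit stand-in cipher.

Added example, not code from the Security Fix article or the Hulton/Miller
project.  It models only the property their tables exploit: the first
keystream word is a deterministic function of the session key, and an
attacker who knows one frame's plaintext observes that word.  All names,
sizes and the KNOWN_FRAME value below are constructed assumptions.
"""
import hashlib
import random
from typing import Dict, List, Optional

KEY_BITS = 16                 # toy key space; A5/1 uses 64 bits
KEY_SPACE = 1 << KEY_BITS
CHAIN_LEN = 64                # t: outputs covered per stored chain
CHAIN_COUNT = 4096            # m: chains (table rows) stored
KNOWN_FRAME = b"constructed known-plaintext frame"


def toy_keystream(key: int) -> int:
    """Stand-in for a cipher's first keystream word under `key` (NOT A5/1).

    SHA-256 of a fixed known frame plus the key, truncated to KEY_BITS.
    Determinism is the only property the table attack relies on.
    """
    digest = hashlib.sha256(KNOWN_FRAME + key.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big") & (KEY_SPACE - 1)


def reduce_to_key(output: int, column: int) -> int:
    """Rainbow-table reduction: map an output word back into key space.

    Varying the reduction per column keeps chains that collide in
    different columns from merging into identical tails.
    """
    return (output ^ (column * 0x9E37)) & (KEY_SPACE - 1)


def build_table(chain_count: int = CHAIN_COUNT,
                chain_len: int = CHAIN_LEN) -> Dict[int, List[int]]:
    """Precomputation phase: m chains of t cipher evaluations each.

    Only (endpoint -> start keys) pairs are stored, so storage is O(m)
    while about m*t keys are covered.  This one-time step is the part the
    article's FPGA farm spends months on for the real 64-bit key space.
    """
    table: Dict[int, List[int]] = {}
    for start in range(0, KEY_SPACE, KEY_SPACE // chain_count):
        key = start
        for column in range(chain_len):
            key = reduce_to_key(toy_keystream(key), column)
        table.setdefault(key, []).append(start)
    return table


def recover_key(observed: int, table: Dict[int, List[int]],
                chain_len: int = CHAIN_LEN) -> Optional[int]:
    """Online phase: find a key whose keystream word equals `observed`.

    Costs about t*t/2 cipher evaluations plus table lookups, instead of
    the 2**KEY_BITS evaluations of a plain brute-force search.
    """
    for column in range(chain_len):
        # Assume `observed` sits in this column and walk the rest of the chain.
        key = reduce_to_key(observed, column)
        for later in range(column + 1, chain_len):
            key = reduce_to_key(toy_keystream(key), later)
        for start in table.get(key, ()):
            # Endpoint matched: regenerate the chain from its start and look
            # for the key that produced `observed` (a miss is a false alarm).
            candidate = start
            for col in range(chain_len):
                word = toy_keystream(candidate)
                if word == observed:
                    return candidate
                candidate = reduce_to_key(word, col)
    return None


def success_rate(table: Dict[int, List[int]], trials: int = 100,
                 seed: int = 1) -> float:
    """Fraction of random session keys recovered from one observed word."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.randrange(KEY_SPACE)
        found = recover_key(toy_keystream(key), table)
        if found is not None and toy_keystream(found) == toy_keystream(key):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    table = build_table()
    rows = sum(len(starts) for starts in table.values())
    print(f"stored rows: {rows} of {KEY_SPACE} keys, "
          f"coverage ~ {success_rate(table):.0%}")
```

Storing 4,096 rows for a 65,536-key space and recovering most keys in a few thousand cipher evaluations is the same shape as the article's figures, just scaled down: the chain count and length are what the researchers tune with more disk and more FPGAs, and the fraction of keys a table covers is the "roughly 95 percent chance of success" that they quote.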

Hulton is director of security communications for Pico Computing, a company that manufactures powerful FPGA devices designed for use in desktop and mobile computers. Hulton said Pico plans to commercialize the technology, which will use the still-uncompleted encryption key tables in conjunction with far more powerful hardware devices capable of cracking almost any GSM encryption key within 30 seconds.

In order to intercept the actual encrypted communications, attackers would need to purchase a $700 hardware receiver capable of receiving any GSM frequency from zero to 3.0 gigahertz. By initiating a call or sending a text message to the target's phone, an attacker could learn the target's mobile subscription identification number and the equipment ID tied to his or her phone, two pieces of information that are unique to each GSM mobile subscriber (data points that are needed to intercept a target's encrypted GSM communications). This would be the easiest way to gather the ID information, but attackers also could collect the same data passively by waiting for the target to initiate a communication, the researchers said.

This information can be intercepted, Miller said, because the providers all send it in plain text over the network, even though the GSM technical specifications advise providers to encrypt that information as well.

"When we wrote our receiver and looked at the network, we actually saw clear text data flowing over the network all the time," Miller told Security Fix. "So, the network providers are pretty much all in violation of the standards. But there's no reason for them to follow it, because no one ever bothers checking."

David Pringle, a spokesperson for the GSM Association (GSMA), declined to comment on the specifics of the duo's research, saying engineers there hadn't had time to review it. But he defended the security and resiliency of the A5/1 privacy algorithm, saying the attacks detailed to date have been more theoretical than practical.

"Over the past few years, a number of academic papers setting out, in theory, how the A5/1 algorithm could be compromised have been published," the GSMA said in a statement. "However, none to date have led to a practical attack capability being developed against A5/1 that can be used on live, commercial GSM networks."

Still, the association says it has been working to "further enhance privacy protection on GSM networks and has developed a new high-strength algorithm, A5/3," which it claims is being phased in among carriers to replace A5/1.

The association said it "closely monitors the work of groups, such as the 'A5 Cracking Project'," and that it is "working through the appropriate standards bodies to ensure all stakeholders understand the implications of this work."

Meanwhile, the two researchers said barring any legal interference, they plan to demonstrate their method Wednesday in a related presentation at Black Hat D.C., a security conference being held this week here in Washington.

The slides from Hulton's Shmoocon presentation contain far more technical details on their research. They are available here (PDF).

From the slides:
(14) the machine generating the tables took 68 FPGAs at around 1500 apiece, and is still going to take 3 months.

(16) the machine to do the cracking is going to take 32 FPGAs to crack the GSM session ID in about 30 seconds, so it's more like $50k+ to build something to crack GSM "on the fly" along with other equipment to actually find, locate, and target a specific phone number.

Probably a bit out of the range for the average "curious" person. The cheap version takes 30 minutes to crack the session id that is unique for each call, so it better be a long phone call.

I didn't catch him saying anything about recorded calls in the talk, so perhaps that will work if it's true.

CG - I interviewed both researchers after David's presentation and specifically asked if it could be decrypted from a recording, and they said absolutely. So it wouldn't matter if it took 30 minutes or an hour to decrypt the recorded conversation.

If anybody really wants to eavesdrop on my messages, they're welcome. Typical calls: "Do you want Cheerios or Crispix this week? They're both on sale." "I'm at North and 92nd, so I'll be home in 10 minutes." "Hi, Mom, I'm back at the dorm now, safe and sound."

Privacy and wireless (cell, Wi-Fi, etc.) just don't mesh very well together even with the use of encryption due to the simple fact the RF (radio frequency) signal can be picked out of the air. In comparison, hardwired requires a physical connection making it much more difficult to "sniff" the communications.

Thus, for my personal comfort level, I always treat wireless communications like talking in public and avoid divulging sensitive information.

I think the GSM cracking schemes are a good example of nerds gone wild: "we can do it because we can", not from any real viable business case. I mean, who cares if it's Crispix or Cheerios? Also, who's careless enough to transmit national security stuff over the airwaves?

@Pete "who's careless enough to transmit national security stuff over the airwaves?" Man, the last 3 incidents I've worked were system administrators using OS passwords like "welcome" and then a brute force bot getting shell access. Point being that even people responsible for security are careless.

What this says, to me anyway, is that people have always been much more concerned about strangers in close proximity than in competitors who might be listening in. Makes no sense, but that seems to be the way consumers like it.

Just owning a receiver capable of receiving cell phone bands is a Felony in the eyes of the Federal Govt. per amendments to the Communications Privacy Bill of 1934, Interception of communications, section 206. Felony conviction can land you in Federal prison for not more than 10 Years and up to a $50,000 fine.
While researching this topic, I found several court cases that put the figure of such modified receivers at or near 20 million in the U.S.

Modification of a cell phone for same is covered by this statute as well.

So before you go investing in multiple high power computers and program some FPGAs I would think twice about whether you really need to know what brand of cereal someone is buying for tomorrow's breakfast.